Skill v1.0.0

ClawScan security

Voiceover Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 5:00 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions, required credential (NEMO_TOKEN), and network calls are coherent with a cloud voiceover service — no code is installed locally — but the source is unknown and a small metadata mismatch warrants caution.
Guidance
This skill is coherent with a cloud voiceover service: it expects (or will mint) a NEMO_TOKEN and uploads your videos to https://mega-api-prod.nemovideo.ai for processing. Before installing or using it: (1) confirm you trust the unknown source/host, since there is no homepage or author link; (2) avoid uploading sensitive or private videos unless you accept remote processing and storage; (3) note the skill can mint an anonymous token (100 free credits, 7-day expiry) if NEMO_TOKEN is missing — this is normal but means jobs are tied to that anonymous account; (4) ask the maintainer to reconcile the small metadata mismatch (SKILL.md lists ~/.config/nemovideo/ while registry metadata shows no config paths) so you can verify what local config (if any) the skill will access; (5) if you need stronger assurance, request the skill's source or an official homepage and/or review network requests while using the skill (e.g., via a proxy) to verify endpoints and payloads. Because the skill has no install script or local code, the main risk is data exposure to the external API rather than local compromise.

Review Dimensions

Purpose & Capability: ok
Name/description (AI voiceovers for uploaded videos) match the required credential (NEMO_TOKEN) and the SKILL.md which describes cloud render, uploads, session creation, and export APIs. Asking for a bearer token to call a remote rendering API is expected for this purpose.
Instruction Scope: note
SKILL.md instructs the agent to check for NEMO_TOKEN, create an anonymous token via POST to https://mega-api-prod.nemovideo.ai if missing, create sessions, upload video files (multipart or by URL), and poll render status. All of these are within the stated purpose. Note: the skill will send user video/audio and associated metadata to an external service; it explicitly instructs not to expose tokens or raw API output. There are no instructions to read unrelated local files or additional environment variables beyond NEMO_TOKEN, aside from detecting install path for header attribution.
Install Mechanism: ok
No install spec and no code files — instruction-only. This is lower risk because nothing is written to disk by an installer. The skill relies on network calls only.
Credentials: note
The only declared required env var is NEMO_TOKEN (primaryEnv), which is appropriate for a cloud API. However, SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) whereas the registry metadata reported no required config paths — this mismatch should be reconciled. The skill's fallback to create anonymous tokens does not require additional user secrets, but it will mint tokens server-side and use them for up to 7 days.
Persistence & Privilege: ok
always:false (no forced inclusion). The skill holds session tokens and session_id for the lifetime of a job, which is necessary for the workflow. Autonomous invocation is allowed (platform default); combined with network access this means the skill can call the external API on its own when invoked, but it does not request elevated system-wide privileges or modify other skills.